SYSTEM AND METHOD FOR REAL-TIME INSERTION OF DATA INTO A
MULTI-DIMENSIONAL DATABASE FOR NETWORK INTRUSION DETECTION AND
VULNERABILITY ASSESSMENT

TECHNICAL FIELD OF THE INVENTION

This invention relates in general to the field of computer
network environments and, more particularly, to a system
and method for real-time insertion of data into a
multi-dimensional database for network intrusion detection and
vulnerability assessment.

BACKGROUND OF THE INVENTION

Managing networks can largely be a matter of risk
management and decision support. Network administrators want
to minimize the risk of events such as equipment failure
while, at the same time, maximize performance such as high
bandwidth. These types of management tasks bring with
them a number of types of data management problems. For
example, for failures in the network, the types of questions
that an administrator needs to ask depend upon the current
context: such as how, where and when did the event occur.
Further, the desired context may change during the course of
an inquiry. For example, the question that ultimately leads to
an answer to a network problem may be quite different than
the one with which the administrator began.

Assuming that detailed information about a network is
available, effective navigation through such large amounts
of information generally requires hierarchical summarization.
For example, the schema for locating an event might be
represented using the following: region, city, network,
segment, device, operating system and version. Further, the
level of detail needed can change during the course of an
inquiry. For example, in order to solve a particular problem
in the southwest region of a network, the network
administrator may need to identify the particular version of the
operating system on a specific device in that region of the
network. Other problems may not need that level of
granularity.

Further, not only do network administrators worry about
operational problems with the network, they should also
manage the detection of and response to unauthorized
intrusions into the network. Such intrusion events need to be
addressed to prevent or limit any exposure of critical data.

To help in this task, there are a number of conventional
intrusion detection systems available that can monitor the
network and detect intrusion events. Some of these systems
can also automatically respond to certain types of intrusion.
The NETRANGER product, available from CISCO
SYSTEMS, INC., is one example of such an intrusion
detection system. Further, there are products that allow an
administrator to assess, in general, what vulnerabilities exist
in the network. The NETSONAR product, available from
CISCO SYSTEMS, INC., is one example of such a network
vulnerability assessment system.

Although conventional security systems can ease the task
of network administration, it is desirable to provide a system
that allows both robust viewing of network configuration
and vulnerability details as well as ongoing detection of and
response to unauthorized intrusions into the network.

SUMMARY OF THE INVENTION

In accordance with the present invention, a system and
method for real-time insertion of data into a
multi-dimensional database for network intrusion detection and
vulnerability assessment are disclosed that provide
significant advantages over conventional network security tools.

According to one aspect of the present invention, the
system includes a multi-dimensional database and a user
interface operable to access and provide views into the
multi-dimensional database. A data insertion engine is
coupled to and operable to access the multi-dimensional
database. The data insertion engine is further operable to
receive a real-time data feed, to process the real-time data
feed and to insert data into the multi-dimensional database
responsive to processing of the real-time data feed. In one
embodiment, the real-time data feed can represent exploited
network vulnerabilities, and the system can be used for
network intrusion detection and vulnerability assessment.

According to another aspect of the present invention, the
method includes receiving a real-time data feed representing
detection of an event and processing the event against the
multi-dimensional database. Cells associated with the event
are identified in the multi-dimensional database and
appropriate vectors to the identified cells are created. Data
representing the event is then inserted at the identified cells,
and visibility to the inserted data is provided through a user
interface to the multi-dimensional database. In one
embodiment, the event can be an exploited network
vulnerability, and the method can be used for intrusion
detection and vulnerability assessment.

It is a technical advantage of the present invention that
real-time data feeds representing intrusion detection events
are processed to generate data that is inserted real-time into
a multi-dimensional database. A network administrator can
then interface with the multi-dimensional database to obtain
real-time visibility of intrusion events and any correlation to
known aspects of the network environment.

It is another technical advantage that a robust
vulnerability assessment and intrusion detection tool can be
provided that allows intrusion detection events to be
associated with specific network resources having known
confirmed or potential vulnerabilities.

Other technical advantages of the present invention
should be apparent to one of ordinary skill in the art in view
of the specification, drawings and claims.

BRIEF DESCRIPTION OF THE DRAWINGS

A more complete understanding of the present invention
and advantages thereof may be acquired by referring to the
following description taken in conjunction with the
accompanying drawings, in which like reference numbers indicate
like features, and wherein:

FIG. 1 is a block diagram of a system for real-time
insertion of data into a multi-dimensional database;

FIG. 2 is a flow chart of one embodiment of a method for
real-time insertion of data into a multi-dimensional
database;

FIGS. 3A, 3B, 3C and 3D are diagrams of one embodiment
of vectors from dimensions to cells and intersections
within a multi-dimensional database;

FIG. 4 is a diagram of one embodiment of views into a
multi-dimensional database;

FIG. 5A is a diagram of one embodiment of a slice view
into the multi-dimensional database of FIG. 4;

FIG. 5B is a diagram of one embodiment of a pivot view
from the slice view of FIG. 5A;

FIGS. 6A and 6B are diagrams of one embodiment of
zooming views into a multi-dimensional database; and

FIGS. 7A, 7B and 7C are diagrams of one embodiment of
drill down views into a multi-dimensional database.

DETAILED DESCRIPTION OF THE 
INVENTION 

FIG. 1 is a block diagram of a system, indicated generally 
at 10, for real-time insertion of data into a multi-dimensional 
database. System 10 can be implemented using computer 
systems having typical computer components such as a 
processor, memory, storage devices, etc. In the embodiment 
of FIG. 1, system 10 includes a multi-dimensional database 
12 that can be accessed by and viewed from a user interface 
14. User interface 14 can allow a user to view data stored in 
cells within multi-dimensional database 12. In system 10 of 
FIG. 1, a data insertion engine 16 is coupled to and inter- 
faces with multi-dimensional database 12. Data insertion 
engine 16 can receive and process a real-time data feed 18 
and insert associated data into multi-dimensional database 
12. Multi-dimensional database 12 can be characterized as
having a number of hierarchical dimensions which can be 
defined by self-describing schema associated with database 
12. The hierarchical dimensions provide a structure by 
which the data is organized and can be visualized as a series 
of honeycombs nested within one another. Some general 
aspects of conventional multi-dimensional databases, for
example, are disclosed and described in U.S. Pat. Nos. 
5,647,058; 5,319,777; 5,592,666 and 5,721,910. 

As an extension upon conventional uses for multi- 
dimensional databases, it has been determined that one of 
the more effective ways to deal with a network administra- 
tor's requirements is to store network information in a 
multi-dimensional database that fully represents the man- 
aged network environment. The multi-dimensional database 
can then support flexible query techniques against the stored 
data such as slices, pivoting, zooming and drill down. The 
manner in which the database cells are aggregated and 
nested can be dictated by hierarchical rules defined for each 
of the database's dimensions. For example, network events 
could be stored in a simple multi-dimensional database 
based on three basic indices: time, address space, and event 
type. Every cell within the honeycomb, regardless of its 
level within hierarchies, also can contain some type of scalar 
data (e.g., counts, averages, min/max values, etc.). These
types of constructs make it possible to view information 
relative to points of intersection across one or more of the 
database dimensions. For example, a hypothetical query 
might be to "show the number of hosts (scalar value) that
have been accessed since Friday (time) via a telnet session 
(event type) from outside the network (address space)." 

One problem with multi-dimensional databases as applied 
to the problem of providing visibility into network data is 
that such databases do not support real-time data feeds. 
Real-time data feeds, however, are needed for intrusion 
detection systems that allow an administrator to react to 
real-time events. The lack of support for a real-time data 
feed is, in part, due to a reliance on sparsely populated, 
highly indexed and denormalized data storage. In contrast, 
multi-dimensional database 12 results from a strategy for 
maintaining real-time data feeds into the cells at every level 
of multi-dimensional database 12 based upon a vectored 
arrayed database construct. 

In the embodiment of FIG. 1, data insertion engine 16 
operates to receive real-time data feed 18 which provides 
information to be inserted into multi-dimensional database 
12. This information can, for example, represent real world 
events such as detected network intrusion events. Data 
insertion engine 16 processes real-time data feed 18 with
built-in intelligence about the structure of multi-dimensional
database 12. Data insertion engine 16 then identifies data to 
be inserted into multi-dimensional database 12 as well as 
cells to receive the inserted data. Data insertion engine 16 
also creates vectors from the dimensions of multi- 
dimensional database 12 into those cells. Data insertion 
engine 16 then inserts data into multi-dimensional database 
12 based upon this processing of real-time data feed 18. 
Once the data is inserted, user interface 14 provides visibil- 
ity to that real-time data as other data stored within multi- 
dimensional database 12. 

In one implementation, multi-dimensional database 12 
can be used to store and provide views into network envi- 
ronment information needed by a network administrator. In 
this implementation, multi-dimensional database 12 can 
store data representing the results of a network vulnerability 
assessment of the network. For example, generating network 
vulnerability assessment data and storing it in a multidimen- 
sional database are disclosed and described in U.S. patent 
application Ser. No. 09/107,964, entitled "System and 
Method for Rules-driven Multi-phase Network Vulnerabil- 
ity Assessment", the disclosure of which is incorporated 
herein by reference. Further in this implementation, real- 
time data feed 18 can provide information about network 
intrusion events identified, for example, by an intrusion 
detection system such as the NETRANGER product avail- 
able from CISCO SYSTEMS, INC. Data insertion engine 16 
can process this real-time data feed 18 to associate the 
intrusion events with cells in multi-dimensional database 12 
that are appropriate for representing the occurrence of the 
intrusion events. For example, data insertion engine 16 can 
associate an intrusion event with the host machine and 
service against which the attack was directed. Then, data 
insertion engine 16 can create appropriate vectors to those 
cells and insert data at those cells to record the occurrence 
of the intrusion event. This intrusion data then augments the 
vulnerability data already stored within multi-dimensional 
database 12. Subsequently, user interface 14 can operate, 
passively and actively, to provide visibility and response to 
this inserted data. For example, user interface 14 can pas- 
sively allow a user to view what intrusion events have 
occurred. Actively, user interface 14 could monitor certain 
cells and categories of data and react to insertions by 
notifying a network administrator (e.g., by e-mail, pager, 
call, alarm, etc.). Once created, multi-dimensional database 
12 can present, for example, this vulnerability assessment 
and intrusion detection information through a variety of 
different user interfaces, including a browser-type interface, 
that provide significant freedom in how the data is viewed. 

FIG. 2 is a flow chart of one embodiment of a method for 
real-time insertion of data into a multi-dimensional data- 
base. As shown, in step 20, a data insertion engine can 
receive a real-time data feed representing the detection of an 
event, for example, the exploitation of a vulnerability within 
a network. Then, in step 22, the data insertion engine can 
process the event against a multi-dimensional database. For 
example, the multi-dimensional database can store data 
representing the network environment, including known 
vulnerabilities of the network. In step 24, the data insertion 
engine can identify cells in the database that are associated 
with the real-time event. For example, the insertion engine 
could identify cells that are linked to the host machine, 
service and confirmed vulnerability that was exploited. In 
step 26, the data insertion engine creates appropriate vectors 
to the identified cells. Then, in step 28, the data insertion 
engine inserts data at those cells indicating the exploited 
vulnerability. In step 29, visibility to the real-time event is
provided through the user interface. For example, a user 
could be allowed to view data within the multi-dimensional 
database that includes information about an exploited vul- 
nerability. In addition, as mentioned above, the user inter- 
face could actively react to the insertion of data, for 
example, by alerting a network administrator that a particu- 
lar exploited vulnerability event had occurred. 

FIGS. 3A, 3B, 3C and 3D are diagrams of one embodi- 
ment of vectors from dimensions to cells and intersections 
within a multi-dimensional database, indicated generally at
30. In the embodiment of FIG. 3, the database has seven
dimensions 32 each having a hierarchical structure. In
particular, dimensions 32 represent categories of infor-
mation about a network environment and include: host
address, ports, services, operating system, vulnerability 
(potential), vulnerability (confirmed) and vulnerability 
(exploited). As shown, dimension nodes 33 of dimensions 
32 are linked by vectors 35 to cells 34, each of which can 
store some type of scalar data. As should be understood, 
database 30 comprises large numbers of cells 34 which are 
linked to dimensions 32. In the example of FIG. 3, cells 34
can be considered logically grouped in that they have 
vectors linking them to the same host address on host 
dimension 32. Also, each cell 34 has vectors linking it to 
different ports and services but the same operating system. 
Further, a potential vulnerability exists with respect to one 
cell 34, while a confirmed vulnerability exists with respect 
to the other cell 34. In other words, the host address/ 
operating system/port/service of one cell 34 has a confirmed 
vulnerability, while the host address/operating system/port/ 
service of the other cell 34 has a potential vulnerability. 
Further, one of cells 34 is linked to an exploited vulnerability 
showing that one or more intrusion events were detected that 
involved the exploitation of a linked confirmed vulnerability 
on the linked host address/operating system/port/service. 

The hierarchical structure of each dimension 32 can be 
defined as appropriate for the particular application. In 
general, each dimension hierarchy begins at a generic level 
and ends at a specific level with respect to that dimension. 
For example, the following tables provide example hierar- 
chies for the host address and operating systems dimensions 
32 shown in FIG. 3. 

TABLE 1 
The database entity relationships within database 30 of
FIG. 3 can be summarized as follows. Hierarchies of dimen-
sions 32 are classic B-Trees where: a child node has only one
parent (1-1), and a parent can have one or more children
(1-N). A dimension node 33 can map to one or more
database cells 34 (1-N) via one or more vectors 35. Also, a
database cell 34 can map to one or more dimension nodes 33
(N-1) via one or more vectors 35.

Due to the vectored structure, database 30 can easily be 
navigated from any particular dimension or set of dimen- 
sions to other dimensions or set of dimensions. This supports 
the implementation of a flexible and robust user interface to 
provide views into database 30. For example, a view of a 
host address with a particular operating system can easily be 
switched to a view of that host address with a particular 
confirmed vulnerability by simply following one link out 
from cell 34 to the confirmed vulnerability dimension 32. 
The vectors 35 linking dimensions 32 to cells 34 can be 
accomplished using a link list vectored array data structure. 
Note that leaf nodes 33 of each dimension hierarchy link to 
a physical point of intersection or cell 34. Higher order 
nodes 33 in a dimension hierarchy may map to aggregations 
of cells 34. Within this structure, each cell of a grid interface 
view (or slice view) of database 30 can represent a point of 
intersection between dimension nodes 33. 

FIGS. 3A, 3B and 3C show embodiments of three types 
of intersection. FIG. 3A shows a leaf node to leaf node (L-L)
intersection, FIG. 3B shows a leaf node to aggregate node 
(L-A) intersection, and FIG. 3C shows an aggregate to 
aggregate (A-A) intersection. As shown, the grid views 
display scalar values 36 at the points of intersection. Cal- 
culation of a scalar value 36 for any given point of inter- 
section (L-L, L-A, or A-A) is effectively a two step process 
that relies on the ability to map a node 33 to its correspond-
ing database cell(s) 34 and then to identify the vector(s) 35
to the opposing dimension 32. Once these linkages are 
established, it is possible to calculate the associated scalar 
value(s) 36. For example, FIG. 3B shows scalar values at 
four leaf node to leaf node intersections. Then, FIG. 3C 
shows scalar values 36 for two leaf node to aggregate node
intersections where two of the leaf nodes of FIG. 3B have 
been aggregated. Further, FIG. 3D shows a scalar value 36 
for an aggregate node to aggregate node intersection where 
the remaining two leaf nodes of FIG. 3C have been aggre- 
gated. 

FIG. 4 is a diagram of one embodiment of views into a 
multi-dimensional database. As shown, a multi-dimensional 
database 36 could have among its dimensions the following 
three dimensions: a host address dimension 38, a service 
dimension 40 and an operating system dimension 42. One 
way to view data within database 36 is via a two- 
dimensional slice 44 of database 36. Slice 44 can thus 
provide a grid view of data based upon the point or set of
intersection of two selected dimensions at selected levels
within the hierarchy of the selected dimensions. Another
view of database 36 can then be obtained via a pivot 46.
Pivot 46 is a shift from viewing slice 44 by changing one of 
the dimensions being viewed. 

FIG. 5A is a diagram of one embodiment of a slice view 
into the multi-dimensional database of FIG. 4. As shown, 
slice 44 can provide a view based upon selecting operating 
system dimension 42 and host address dimension 38. Thus, 
slice 44 could show which host addresses have which 
operating systems at various levels of granularity. FIG. 5A,
however, does not detail what level within the hierarchy
of each dimension is being viewed. A viewing aspect called
zooming, which is described with respect to FIGS. 6A and
6B, allows a user to move up and down within the levels of
the dimension hierarchy of slice 44.

FIG. 5B is a diagram of one embodiment of a pivot view 
from the slice view of FIG. 5A. As shown, pivot 46 involves 
changing one of the dimensions being viewed. In this
example, operating system dimension 42 is replaced with
service dimension 40. Thus, the view into database 36 has
been pivoted at the same hierarchical level of host address
dimension 38 to show its intersection with service dimen-
sion 40. This new view then shows, for example, which
services are available on which host addresses.

FIGS. 6A and 6B are diagrams of one embodiment of
zooming views into a multi-dimensional database. As
shown, a window 50 can include controls 52 and a banner
54 which indicates the current dimensions being viewed. In
the example of FIG. 6A, the current view is a slice with
dimensions of confirmed vulnerabilities 56 and operating
system 58. Further, both dimensions are viewed with two
layers of the hierarchy exposed. For example, operating
system dimension 58 shows one level down to: network
printers, workstations and routers. Confirmed vulnerability
dimension 56 shows one level down to: access and recon-
naissance vulnerabilities. Further, the slice view of FIG. 6A
provides scalar data 60 at the intersection of dimensions 56
and 58. In the example shown, there are 12 confirmed access
vulnerabilities and 46 confirmed reconnaissance vulnerabili-
ties on workstations. Also, there is one confirmed access
vulnerability on a network printer. The vulnerabilities are
distributed across these network devices. To understand how
these vulnerabilities occur by host address, the information
could be viewed by that dimension or a drill down view
could be used.

FIG. 6B is a diagram of one embodiment of zooming from
the slice view of FIG. 6A to the slice view of FIG. 6B. As
shown, the view is still provided within a window 50 that has
controls 52 and a banner 54. Also, dimensions 56 and 58
have not changed except for the level within the hierarchy of
the confirmed vulnerability dimension 56. In this dimension
56, another level within the hierarchy has been uncovered
which includes the shown types of access vulnerabilities.
Further, the scalar data 60 has been expanded to show, for
example, that the twelve workstation access vulnerabilities
fall into the indicated five types. Thus, the zooming function
allows a user to change the granularity with which the data
is viewed by moving up and down within the hierarchy of
the particular dimensions.

FIGS. 7A, 7B and 7C are diagrams of one embodiment of
drill down views into a multi-dimensional database. As
shown in FIG. 7A, a window 70 can include controls 72 and
a banner 74. Banner 74 provides an indication of dimensions
of the database being viewed. For example, the information
being viewed is a list of host IP addresses for workstations
that have confirmed vulnerabilities of the type "access".
Referring back to FIG. 6A, there might be twelve instances
of confirmed access vulnerabilities on workstations. The
drill down view of FIG. 7A involves displaying detailed
physical information about the characteristics of the host
machines where those vulnerabilities occur. Thus, column
headings 76 and physical information 78 provide data about
the specific network devices that are summarized by the
scalar data of FIG. 6A. In this manner, users can incremen-
tally drill down from summary information to physical
information to gain specific information about a particular
entry.

FIG. 7B shows that a user has selected the "Recon:RPC
Reconnaissance: 1106" vulnerability underneath the host
system with an IP address of "10.1.6.50." FIG. 7C then
shows the user obtaining a full list of host IP addresses that
share the "Recon:RPC Reconnaissance: 1106" vulnerability.
Thus, the user can pivot from viewing the list of hosts
sharing confirmed vulnerabilities of type "access" to view-
ing a list of hosts sharing a confirmed vulnerability of
"Recon:RPC Reconnaissance: 1106".

A user can thus switch between slice, pivot, zooming and
drill down views of data in the multi-dimensional database
to view needed network information. The slice view gener-
ally displays points or sets of intersection of varying size,
and the zoom view allows changes of the level and size of
the sets (e.g., higher within the hierarchy equates to a larger
set and vice versa). The pivot view allows a different set of
intersection to be viewed, and the drill down view allows
identification of those hosts that make up the set at a
particular intersection. Together, this provides a robust inter-
face into the data held within the multi-dimensional database
that can be particularly advantageous for a network admin-
istrator trying to troubleshoot issues with the managed net-
work.

Thus, the user interface can provide a grid browser type 
view into the data that displays data at different levels of 
granularity and from different perspectives. The multi- 
dimensional database and user interface integrated with the 
ability to process real-time data feeds and insert real-time 
data into the multi-dimensional database provide significant 
advantages. The multi-dimensional database can capture a
complex yet navigable view of the network configuration as 
well as assessed vulnerabilities. The real-time data feed can 
provide important data as to the existence of intrusion 
events. The integration of these features can provide a robust 
real-time vulnerability assessment and intrusion detection 
tool allowing intrusion detection events to be associated 
with specific network resources having known confirmed or 
potential vulnerabilities. 
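
The structure described above (dimension hierarchies, vectors from dimension nodes to cells, the insertion steps of FIG. 2, and scalar values at leaf and aggregate intersections) can be illustrated with the following added Python example, which is not part of the patent text. Class and method names, the hosts other than 10.1.6.50, and the operating system, service and vulnerability labels are constructed for illustration, and Python sets stand in for the linked-list vectored arrays.

```python
from collections import defaultdict


class Dimension:
    """One hierarchical dimension; nodes link to cells through vectors."""

    def __init__(self):
        self.children = defaultdict(list)  # parent node -> child nodes (1-N)
        self.vectors = defaultdict(set)    # leaf node -> ids of linked cells

    def add_path(self, *path):
        """Register a generic-to-specific path such as ("all", "access", leaf)."""
        for parent, child in zip(path, path[1:]):
            if child not in self.children[parent]:
                self.children[parent].append(child)

    def cells(self, node):
        """Cells linked to a leaf, or aggregated over a higher node's subtree."""
        found = set(self.vectors.get(node, ()))
        for child in self.children.get(node, ()):
            found |= self.cells(child)
        return found


class Database:
    def __init__(self, *names):
        self.dims = {name: Dimension() for name in names}
        self.cells = []   # cell id -> {"links": {dimension: leaf}, "events": int}
        self.alerts = []  # stand-in for notifying an administrator

    def add_cell(self, **links):
        """Store one assessed resource and create its vectors."""
        cid = len(self.cells)
        self.cells.append({"links": dict(links), "events": 0})
        for dim, leaf in links.items():
            self.dims[dim].vectors[leaf].add(cid)
        return cid

    def insert_event(self, event):
        """Identify the cells for an event, add vectors, insert data, alert."""
        hit = self.dims["host"].cells(event["host"])
        hit &= self.dims["service"].cells(event["service"])
        hit &= self.dims["confirmed"].cells(event["vuln"])
        for cid in sorted(hit):
            self.dims["exploited"].vectors[event["vuln"]].add(cid)
            self.cells[cid]["links"]["exploited"] = event["vuln"]
            self.cells[cid]["events"] += 1
            self.alerts.append((event["host"], event["service"], event["vuln"]))
        return sorted(hit)  # empty when no assessed cell matches (example's choice)

    def scalar(self, dim_a, node_a, dim_b, node_b, measure="cells"):
        """Value at an L-L, L-A or A-A intersection of two dimension nodes."""
        common = self.dims[dim_a].cells(node_a) & self.dims[dim_b].cells(node_b)
        if measure == "events":
            return sum(self.cells[c]["events"] for c in common)
        return len(common)

    def slice(self, dim_a, nodes_a, dim_b, nodes_b, measure="cells"):
        """Grid view; a pivot is the same call with one dimension swapped."""
        return {(a, b): self.scalar(dim_a, a, dim_b, b, measure)
                for a in nodes_a for b in nodes_b}

    def drill_down(self, dim_a, node_a, dim_b, node_b, show):
        """List the members of `show` that make up one intersection."""
        common = self.dims[dim_a].cells(node_a) & self.dims[dim_b].cells(node_b)
        return sorted({self.cells[c]["links"][show] for c in common})


def build_sample():
    """Constructed assessment data; only 10.1.6.50 appears in the text above."""
    db = Database("host", "os", "service", "confirmed", "exploited")
    rows = [  # host, os class, os, service, vulnerability class, vulnerability
        ("10.1.6.50", "workstations", "ws-os", "telnet", "access", "telnet-weak-auth"),
        ("10.1.6.50", "workstations", "ws-os", "rpc", "reconnaissance", "rpc-recon"),
        ("10.1.6.51", "workstations", "ws-os", "telnet", "access", "telnet-weak-auth"),
        ("10.1.7.9", "network printers", "printer-os", "lpd", "access", "lpd-access"),
    ]
    for host, os_class, os_name, service, vuln_class, vuln in rows:
        subnet = host.rsplit(".", 1)[0] + ".0/24"
        db.dims["host"].add_path("all", subnet, host)
        db.dims["os"].add_path("all", os_class, os_name)
        db.dims["service"].add_path("all", service)
        db.dims["confirmed"].add_path("all", vuln_class, vuln)
        db.dims["exploited"].add_path("all", vuln_class, vuln)
        db.add_cell(host=host, os=os_name, service=service, confirmed=vuln)
    return db


if __name__ == "__main__":
    db = build_sample()
    feed = [{"host": "10.1.6.50", "service": "telnet", "vuln": "telnet-weak-auth"}] * 2
    for event in feed:
        db.insert_event(event)
    print(db.slice("confirmed", ["access", "reconnaissance"],
                   "os", ["workstations", "network printers"]))
    print(db.drill_down("exploited", "access", "host", "all", show="host"))
```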

Although the present invention has been described in 
detail, it should be understood that various changes, substi- 
tutions and alterations can be made thereto without depart- 
ing from the spirit and scope of the invention as defined by 
the appended claims. 

What is claimed is: 

1. A system for real-time insertion of data into a multi- 
dimensional database, comprising: 

a multi-dimensional database; 

a user interface operable to access and provide views into 
the multi-dimensional database, wherein the views 
comprise any of a slice, a pivot or a zoom view; and 

a data insertion engine coupled to and operable to access 
the multi-dimensional database; 

the data insertion engine further operable to receive a 
real-time data feed provided by a network intrusion 
detection system, to process the real-time data feed and 
to insert data into the multi-dimensional database 
responsive to processing of the real-time data feed. 

2. The system of claim 1, wherein the real-time data feed 
represents detection of an event. 

3. The system of claim 2, wherein the multi-dimensional 
database stores data representing a configuration of a net- 
work environment. 

4. The system of claim 3, wherein the configuration of the 
network environment includes network vulnerability infor- 
mation. 

5. The system of claim 4, wherein the event is an 
exploited vulnerability within the network environment. 

6. The system of claim 5, wherein the user interface is 
further operable to actively alert a system administrator 
responsive to the exploited vulnerability. 

7. The system of claim 5, wherein dimensions of the 
multi-dimensional database comprise host address, operat- 
ing system, ports, and services. 
8. The system of claim 7, wherein the dimensions further
comprise confirmed vulnerabilities, potential vulnerabilities 
and exploited vulnerabilities. 

9. The system of claim 1, wherein the user interface is 
further operable to provide views that comprise drill down
views. 

10. A method for real-time insertion of data into a 
multi-dimensional database, comprising: 

receiving a real-time data feed representing detection of
an event, the real-time data feed being provided by a
network intrusion detection system;

processing the event against the multi-dimensional data-
base;

identifying cells in the multidimensional database that
are associated with the event;

creating appropriate vectors to the identified cells;

inserting data representing the event at the identified cells;
and

providing visibility to the inserted data through a user
interface, wherein providing visibility includes provid-
ing views that comprise any of a slice, a pivot or a zoom
view.

11. The method of claim 10, wherein the multi-
dimensional database stores data representing a configura-
tion of a network environment.

12. The method of claim 11, wherein the configuration of 
the network environment includes network vulnerability 
information. 

13. The method of claim 12, wherein the event is an
exploited vulnerability within the network environment. 

14. The method of claim 13, further comprising actively 
alerting a system administrator responsive to the exploited 
vulnerability. 

15. The method of claim 14, wherein dimensions of the
multi-dimensional database comprise host address, operat- 
ing system, ports, and services. 

16. The method of claim 15, wherein the dimensions 
further comprise confirmed vulnerabilities, potential vulner-
abilities and exploited vulnerabilities.

17. The method of claim 10, wherein the views further 
comprise drill down views. 

18. A system for real-time insertion of data into a multi- 
dimensional database, comprising: 

a storage device;

an application stored on the storage device, the applica-
tion operable to:

receive a real-time data feed representing detection of
an event, the real-time data feed being provided by
a network intrusion detection system;

process the event against the multi-dimensional data-
base;

identify cells in the multi-dimensional database that are
associated with the event;

create appropriate vectors to the identified cells;

insert data representing the event at the identified cells;
and

provide visibility to the inserted data through a user
interface, wherein providing visibility includes pro-
viding views that comprise any of a slice, a pivot or
a zoom view.

19. The system of claim 18, wherein the event is an 
exploited vulnerability within the network environment. 

20. The system of claim 18, wherein dimensions of the 
multi-dimensional database comprise host address, operat- 
ing system, ports, and services. 

21. The system of claim 20, wherein the dimensions 
further comprise confirmed vulnerabilities, potential vulner- 
abilities and exploited vulnerabilities. 

22. A system for real-time insertion of data into a multi- 
dimensional database, comprising: 

means for receiving a real-time data feed representing 
detection of an event, the real-time data feed being 
provided by a network intrusion detection system; 

means for processing the event against the multi- 
dimensional database; 

means for identifying cells in the multi-dimensional data- 
base that are associated with the event; 

means for creating appropriate vectors to the identified 
cells; 

means for inserting data representing the event at the
identified cells; and

means for providing visibility to the inserted data through
a user interface, wherein providing visibility includes
providing views that comprise any of a slice, a pivot or
a zoom view.

23. The system of claim 22, wherein the event is an 
exploited vulnerability within the network environment. 

24. The system of claim 22, wherein dimensions of the 
multi-dimensional database comprise host address, operat- 
ing system, ports, and services. 

25. The system of claim 24, wherein the dimensions 
further comprise confirmed vulnerabilities, potential vulner- 
abilities and exploited vulnerabilities. 